Wednesday, 18 October 2006
Time for Europeans to ask for your travel records
In accordance with a decision made Monday, today the European Union and the USA Department of Homeland Security were expected to complete the signing of a face-saving new agreement on the use of passenger name record data by the DHS and other USA government agencies.
This brings to an ignominious conclusion the latest round of E.U./DHS negotiations on the rules for government access to, and use of, airline reservation data.
It does not, however, end the political debate or the legal dispute. The ball is now in the hands of European travellers, who have the power to force the issue through requests for their data and through complaints to European data protection authorities and the European Commission.
I've provided sample request letters to start the process, at the end of this article.
in 't Veld can only suspect how bad the situation actually is: only a censored ("redacted") version of the joint EU/DHS report on DHS compliance with its undertakings has been made public. The DHS has been breaking their promises to the EU and lying about what they do for years. I've been informed by a knowledgeable source that the DHS continues to access PNR's for flights weeks in the future, entirely outside the USA. That's a flagrant violation of the undertakings. I guess the DHS personnel don't realize that their queries are being logged, or assume that the logs will be kept secret from any auditors.
(It's impossible to tell from the redacted report whether the "joint review" was truly an independent audit, or what access those preparing it had to raw logs and other records that would be essential to such an audit, particularly data maintained and held by CRS's and other outsourcing services, rather than by airlines or the government.)
The new agreement was accompanied by a bizarre side letter from DHS staff counsel Stewart Baker (formerly chief counsel for the NSA) expressing the DHS's reservations and interpretations. Baker's letter is undated, and it's unclear if it was seen by everyone on the E.U. side of the table before the "deal" was initialed on 6 October. The E.U. press office released it that day, but the E.U. reply refers to its having been received by e-mail on 11 October.
Statewatch has posted many of these documents along with an excellent analysis of how Baker's side letter for the DHS strips the agreement and undertakings of any meaning, and leaves travellers from the EU even worse off than under the earlier "agreement" that was annulled by the European Court of Justice.
But the central problem is that neither an "agreement" signed by the Secretary of Homeland Security, nor "undertakings" published by his department in the Federal Register, have any legal force or effect. To be binding on the USA, an international agreement must be signed by the President, and ratified by the Senate as a treaty.
Article 7 of the decision by the Council of the EU on the new agreement provides that:
[T]he competent authorities in Member States may exercise their existing powers to suspend data flows to DHS in order to protect individuals with regard to the processing of their personal data in the following cases: (a) where a competent United States authority has determined that DHS is in breach of the applicable standards of protection.
But there is no "competent U.S. authority", since neither the "agreement" nor the "undertakings" have been ratified by the U.S. Senate as a treaty. Neither the agreement nor the undertakings could be invoked as binding in any U.S. court, and no U.S. court would have jurisdiction to enforce them or to rule on any "breach" of these nonbinding DHS declarations.
Article 7 of the Council decision -- the "enforcement" article -- is completely meaningless.
What is to be done? Complain.
The first step is for people who made reservations in the EU for flights to or from the USA to request their data, and an accounting of how it has been used and to whom it has been passed on, from the airline (and, if you made reservations through a travel agency or tour operator, from them as well).
In almost all cases you will find (if they are honest in their disclosure) that your personal information was processed by one or more of the major computerized reservation systems (CRS's). If the travel agency used one CRS, and the airline hosts its reservations in a different CRS, there would be separate PNR's in each CRS -- each potentially with somewhat different information. CRS's used by travel agencies are subject to even stricter privacy rules than airlines, under Article 6(d) of a Code of Conduct enforced directly by the European Commission. So ask each of the implicated CRS's for their records about you, and an accounting of what they have done with them.
You have the strongest case for a follow-up complaint, once you receive your data, if you flew to or from the USA in the period between 1 October 2006 (after the old PNR agreement was annulled) and 17 October 2006 (before the new one was signed), inclusive. But whenever you travelled, and even if the new agreement is found to be valid and sufficient to satisfy E.U. law (which seems highly unlikely), you are still entitled to a full accounting of what data about you was stored, and who was given access to it.
The exact form of these requests varies slightly under each E.U. member country's data protection law. Because the largest number of travellers to the USA from any E.U. country is from the U.K., and because I'm writing in English, I've prepared sample request letters under the U.K. Data Protection Act. It should be fairly easy to adapt these for use in other countries:
- Request for PNR's and other travel records from a travel agency or tour operator: OpenOffice | MS-Word | text
- Request for PNR's and other travel records from an airline: OpenOffice | MS-Word | text
- Request for PNR's and other travel records from a computerized reservation system (CRS): OpenOffice | MS-Word | text
In the E.U., unlike in the USA, it's your data. Ask for it, and get your friends to ask for theirs.
Time permitting, I'll be happy to assist in interpreting responses, and suggesting how to follow up with complaints if your data has been used without your consent or sent to countries like the USA without adequate data protection.
[Addendum for USA citizens: Even if you are a citizen of the USA or another country outside the EU, you have the right under EU law to access the data about you, if you travel on an airline based in the EU. So if you fly on a European airline (most of which have better service than airlines based in the USA, and often are cheaper), you can, and should, ask for your data from the airline regardless of your citizenship. Jurisdiction of data protection law is complicated; I apologize for not making this clear in my original article.]
[Addendum, 19 October 2006: Stewart Baker (described in a Reuters report as "the chief U.S. negotiator") and the DHS still aren't satisfied: In Brussels on Tuesday, Baker "said Washington would push for the right to hold data on passengers for longer than the current arrangement of 3-1/2 years. 'Our usual rule for law enforcement data is that it is kept for about 40 years.' " As though travel were inherently suspicious, and travel records were no different from criminal records. "Baker described restrictions included in the current accord as 'almost a code of conduct for the United States' but said he was confident that negotiations due to start with Europe would lead to some of them being relaxed in any future pact."]
[Further addendum: I've also provided forms that you can use to request your international travel records from the USA Department of Homeland Security, regardless of your citizenship or country of residence.]
Posted by Edward on Wednesday, 18 October 2006, 16:35 (4:35 PM)